U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Improved Internal Controls
Needed in the
Gulf of Mexico Program Office

Report No. 13-P-0271                                    May 30, 2013


Report Contributors:    Patrick Gilbride
                        Randy Holthaus
                        Raul Adrian
                        Lisa Bergman


Abbreviations

ANSP      Agency Network Security Policy
CIO       Chief Information Officer
COTR      Contracting Officer’s Technical Representative
EPA       U.S. Environmental Protection Agency
FISMA     Federal Information Security Management Act
FMFIA     Federal Managers’ Financial Integrity Act
FTE       Full Time Equivalent
FY        Fiscal Year
GAO       U.S. Government Accountability Office
GMPO      Gulf of Mexico Program Office
GPRA      Government Performance and Results Act
IMO       Information Management Officer
ISO       Information Security Officer
ISP       Information Security Policy
IT        Information Technology
LAN       Local Area Network
NCCR      National Coastal Condition Report
NIST      National Institute of Standards and Technology
OEAEE     Office of External Affairs and Environmental Education
OEI       Office of Environmental Information
OIG       Office of Inspector General
OMB       Office of Management and Budget
OW        Office of Water
SIO       Senior Information Officer


Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

  email:    OIG_Hotline@epa.gov
  phone:    1-888-546-8740
  fax:      202-566-2599
  online:   http://www.epa.gov/oig/hotline.htm
  write:    EPA Inspector General Hotline
            1200 Pennsylvania Avenue, NW
            Mailcode 2431T
            Washington, DC 20460


U.S. Environmental Protection Agency                                13-P-0271
Office of Inspector General                                     May 30, 2013

At a Glance

Improved Internal Controls Needed in the Gulf of Mexico Program Office

Why We Did This Review

The Gulf of Mexico is one of the U.S. Environmental Protection Agency’s (EPA’s)
Large Aquatic Ecosystem programs. Due to its size and rich biodiversity, the Gulf
is critically important for the nation’s environmental and economic well-being.
Recent environmental disasters, such as Hurricane Katrina and the BP Deepwater
Horizon oil spill, have focused national attention on the Gulf region.
Consequently, our objective was to determine whether the Gulf of Mexico Program
Office (GMPO) had established effective internal controls over program operations.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

  • Protecting America’s waters.

For further information, contact our Office of Congressional and Public Affairs
at (202) 566-2391.

The full report is at:
www.epa.gov/oig/reports/2013/20130530-13-P-0271.pdf

What We Found

Two of GMPO’s performance measures are unrealistic in that they do not reflect
what the office was set up to achieve. The two unrealistic measures involve the
size of the hypoxic zone and the National Coastal Condition Report Index.
Further, one strategic objective (environmental education) is not being measured.
This occurred because GMPO had not performed an assessment of its strategic
objectives and performance measures, as required by governmentwide internal
control standards. As a result, some of the functions that GMPO performs are not
being properly measured and, thus, GMPO’s resources might not be used in the
most efficient or effective way.

GMPO management did not ensure that its Local Area Network (LAN) was secure,
did not have primary information security controls in place, and did not ensure
the contractor met the security requirements in the LAN contract. This occurred
because the GMPO’s former Acting Director was not trained on and therefore not
technically knowledgeable of federal and agency IT security requirements. As a
result, GMPO’s LAN is vulnerable to individuals and groups with malicious
intentions, and EPA has not received the full benefit of the $749,755 paid over
4 years for LAN security services.

The GMPO Web page displayed inaccurate data for over 18 months. GMPO did not
perform a review of the content before posting, use a Content Manager to review
the content, or follow EPA’s Web governance policies or content review
procedures. This occurred because GMPO personnel were not aware of the EPA Web
governance policies or content review procedures. Because information posted on
EPA’s Web pages is accessed by the public, inaccurate data can negatively impact
EPA’s credibility.

Recommendations and Planned Agency Corrective Actions

We recommend that GMPO conduct a risk assessment of its strategic objectives and
measures, and work with the Office of Water to adjust those measures as needed
to accurately reflect GMPO’s mission. We recommend that GMPO and Region 4
officials correct the LAN security controls deficiencies. We also recommend that
GMPO complete actions to establish an office Web content review process. Further,
we recommend that the Office of Environmental Information address LAN
deficiencies and, along with the Office of External Affairs and Environmental
Education, monitor GMPO Web actions. EPA agreed with 12 of our 13 recommendations
and proposed a satisfactory alternative corrective action for the remaining
recommendation.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

May 30, 2013

MEMORANDUM

SUBJECT:   Improved Internal Controls Needed in the Gulf of Mexico Program Office
           Report No. 13-P-0271

FROM:      Arthur A. Elkins Jr.

TO:        See Below

This is our report on the subject audit conducted by the Office of Inspector
General (OIG) of the U.S. Environmental Protection Agency (EPA). This report
contains findings that describe the problems the OIG has identified and
corrective actions the OIG recommends. This report represents the opinion of the
OIG and does not necessarily represent the final EPA position. Final
determination on matters in this report will be made by EPA managers in
accordance with established audit resolution procedures.

Action Required

The agency concurred with recommendations 1 through 12, and proposed a
satisfactory alternative corrective action for recommendation 13. Therefore, we
accept EPA’s response and planned corrective actions for all 13 recommendations
and no further response is needed. We have no objections to the further release
of this report to the public. We will post this report to our website at
http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact
Richard Eyermann, Acting Assistant Inspector General for Audit, at
(202) 566-0565 or Eyermann.Richard@epa.gov; or Patrick Gilbride, Product Line
Director, at (303) 312-6969 or Gilbride.Patrick@epa.gov.

Addressees:

Nancy Stoner, Acting Assistant Administrator, Office of Water
Malcolm D. Jackson, Assistant Administrator and Chief Information Officer,
   Office of Environmental Information
Ben Scaggs, Director, Gulf of Mexico Program Office
A. Stanley Meiburg, Acting Regional Administrator, Region 4
Tom Reynolds, Associate Administrator, Office of External Affairs and
   Environmental Education


Improved Internal Controls Needed in the                            13-P-0271
Gulf of Mexico Program Office

Table of Contents

Chapters

   1   Introduction ..................................................................   1
           Purpose ...................................................................   1
           Background ................................................................   1
           Scope and Methodology .....................................................   3
           Prior Audit Reports .......................................................   3

   2   GMPO’s Performance Measures Need Improvement ..............................   4
           Federal Laws, Standards, and Policies Require Risk Assessment ............   4
           Two GMPO Performance Measures Are Unrealistic ............................   5
           One Key GMPO Activity Not Measured .......................................   5
           GMPO Did Not Perform a Programmatic Risk Assessment ......................   6
           GMPO’s Performance Not Properly Assessed and Resources
               May Not Be Used in the Most Efficient Manner .........................   6
           Conclusions ...............................................................   7
           Recommendations ...........................................................   7
           Agency Comments and OIG Evaluation .......................................   7

   3   GMPO’s Local Area Network Not Secured ......................................   8
           Requirements for Information Security Controls ...........................   8
           GMPO Management Did Not Secure Its LAN and Received
               No Oversight From OW IT Managers .....................................  11
           GMPO Manager Was Not Trained on IT Security and OW IT
               Managers Were Not Aware of LAN .......................................  12
           GMPO LAN Is Vulnerable and EPA Paid for Security Not Received ............  12
           EPA Management Actions Taken During Our Audit ............................  12
           Conclusions ...............................................................  13
           Recommendations ...........................................................  13
           Agency Comments and OIG Evaluation .......................................  14

   4   GMPO Needs a Process to Review Data Prior to
       Posting on the EPA Public Access Website ...................................  15
           Requirements for Web Management and Content Review .......................  15
           GMPO Posted Inaccurate Data on the EPA Public Access Website .............  16
           GMPO Personnel Were Not Aware of Web Content Review Requirements
               and EPA Management Did Not Monitor for Compliance ....................  16
           Inaccurate Data Can Impact EPA’s Credibility .............................  16
           EPA Management Actions Taken During Our Audit ............................  17
           Recommendations ...........................................................  17
           Agency Comments and OIG Evaluation .......................................  17

   Status of Recommendations and Potential Monetary Benefits ......................  18

Appendices

   A   Details on Scope and Methodology ...........................................  20
   B   Agency Response .............................................................  22
   C   Distribution ................................................................  27


Chapter 1

Introduction

Purpose

The purpose of this audit was to determine whether the U.S. Environmental
Protection Agency’s (EPA’s) Gulf of Mexico Program Office (GMPO) had established
effective internal controls over program operations. According to the
U.S. Government Accountability Office (GAO), there are five standards of internal
control:

Table 1: GAO Five Standards of Internal Control

  1. Control Environment
     Management and employees should establish and maintain an environment
     throughout the organization that sets a positive and supporting attitude
     toward internal control and conscientious management.

  2. Risk Assessment
     Internal control should provide for an assessment of the risks the agency
     faces from both external and internal sources.

  3. Control Activities
     Internal control activities help ensure that management’s directives are
     carried out. Control activities should be effective and efficient in
     accomplishing the agency’s control objectives.

  4. Information and Communications
     Information should be recorded and communicated to management and others
     within the entity who need it, and in a form and within a time frame that
     enables them to carry out their internal control and other responsibilities.

  5. Monitoring
     Internal control monitoring should assess the quality of performance over
     time and ensure that audit and other review findings are promptly resolved.

Source: Office of Inspector General (OIG) summary of GAO’s Standards for
Internal Control in the Federal Government, GAO/AIMD-00-21.3.1, November 1999.

Background

The Gulf of Mexico is a critical body of water from an economic, recreational,
and ecological standpoint. With about 60 percent of the continental United
States waterways draining into the Gulf, it provides a vast array of economic
benefits to the nation, including oil and gas production, fisheries, and leisure
income. Recent high-profile disasters that occurred in the Gulf have focused
public and political attention on the region.

EPA’s GMPO was created in 1988 to protect, maintain, and restore the health and
productivity of the Gulf of Mexico while maintaining the economic well-being of
the Gulf region. GMPO’s mission is non-regulatory in nature, relying on a
collaborative approach to work with other government and community organizations
in the region.

13-P-0271                                                                     1

EPA established GMPO as a semi-autonomous program. As such, it draws input from
state and federal partners in the Gulf region. Its strategic and budgetary
direction comes from the Office of Water (OW), while it receives administrative
support and oversight from EPA Region 4. GMPO’s offices are located at Stennis
Space Center, Mississippi.

GMPO’s strategic partners in the Gulf include the Gulf of Mexico Alliance, which
represents the five adjacent state governments (Florida, Alabama, Mississippi,
Texas and Louisiana); the Gulf of Mexico Business Coalition; the Gulf Coast
Ecosystem Restoration Task Force;1 and various other federal agencies, such as
the National Oceanic and Atmospheric Administration, U.S. Fish and Wildlife
Service, and U.S. Geological Survey.

From fiscal years (FYs) 2009 to 2012, GMPO provided $11.8 million for various
environmental and community projects through cooperative agreements, interagency
agreements, and contracts (table 2). During that period, GMPO’s budget and full
time equivalent (FTE) resources remained relatively constant.

Table 2: GMPO Yearly Budget Figures, 2009-2012

      FY        Budget ($ millions)   Project funding ($ millions)    FTEs
     2009              $4.6                     $2.5                  14.0
     2010               6.0                      3.9                  14.0
     2011               4.5                      2.8                  13.0
     2012               5.5                      2.6                  12.9
    Totals            $20.6                    $11.8

Source: OW budget reports as of July 18, 2012.

GMPO is supported by a local area network (LAN) for information technology (IT)
applications. The LAN consists of a network switch, file server, approximately
20 workstations, and connections to the EPA-wide area network. A contractor
manages the GMPO LAN under an EPA IT service contract. The GMPO’s Deputy
Director served as the security manager and contracting officer’s technical
representative for the LAN.

GMPO maintains Web pages on EPA’s public access website2 where it posts
information about its mission, activities, and accomplishments. GMPO staff
manage Web page content with oversight provided by the GMPO Director and Deputy
Director.

1 Per the RESTORE Act, the Gulf Coast Ecosystem Restoration Task Force has now
  transitioned to the Gulf Coast Ecosystem Restoration Council.
2 The EPA public access website address is http://www.epa.gov/gmpo/index.html.

Scope and Methodology

We conducted our audit from May 2012 to March 2013 in accordance with generally
accepted government auditing standards. Those standards require that we obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings
and conclusions based on our evaluation objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on
our objectives.

We based our review on GAO’s Standards for Internal Control in the Federal
Government issued in 1999, GAO’s Internal Control Management and Evaluation Tool
issued in 2001, and other federal criteria and EPA policies pertaining to
internal controls. We also reviewed federal criteria and EPA policies and
procedures for information security, such as the Federal Information Security
Management Act (FISMA), Office of Management and Budget (OMB) Circular A-130,
the National Institute of Standards and Technology (NIST) Special Publication
800-53, and the EPA Agency Network Security Policy (ANSP).

We conducted a site visit at GMPO’s headquarters at the Stennis Space Center,
Mississippi; interviewed staff and management; and reviewed controls in place.
We also conducted interviews with officials from Regions 4 and 6, OW, and other
GMPO stakeholders. Appendix A provides further details on our scope and
methodology.

Prior Audit Reports

GAO issued a report in July 2012, Information Security: Environmental Protection
Agency Needs to Resolve Weaknesses, GAO-12-696. The report stated that security
control weaknesses pervaded EPA’s systems and networks, thereby jeopardizing the
agency’s ability to sufficiently protect the confidentiality, integrity, and
availability of its information and systems. The report also found that EPA did
not always update system security plans to reflect current agency security
control requirements; did not assess management, operational, and technical
controls for agency systems based on risk at least annually; and did not
implement a corrective action process to track and manage all weaknesses when
remedial actions were necessary.


Chapter 2

GMPO’s Performance Measures Need Improvement

Two of GMPO’s performance measures do not reflect what GMPO was designed to
achieve and can legitimately influence. Further, one key GMPO activity is not
being measured. Applicable federal criteria, such as GAO’s Internal Control
Management and Evaluation Tool issued in 2001 and the Government Performance and
Results Act (GPRA) Modernization Act issued in 2010, stress the importance of
continually assessing the relevance and validity of performance measures through
risk assessment. GMPO officials acknowledged that they have not performed a risk
assessment of GMPO’s strategic objectives and corresponding performance
measures. As a result, the functions that GMPO performs are not being properly
measured and GMPO’s resources may not be used in the most efficient or effective
way.

Federal Laws, Standards, and Policies Require Risk Assessment

The GPRA Modernization Act of 2010 (Public Law 111-352) states that an agency’s
strategic plans shall contain an identification of key factors external to the
agency that could significantly affect the achievement of the general goals and
objectives. The law also states that the head of each agency shall make
available on its public website and to OMB an update on agency performance which
shall explain where a performance goal has not been met, if the performance goal
is impractical or infeasible, why that is the case, and what action is
recommended.

GAO’s Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1), November 1999, states that risk assessment is the
identification and analysis of relevant risks associated with achieving the
strategic objectives, and forming a basis for determining how risks should be
managed.

The GAO Internal Control Management and Evaluation Tool (GAO-01-1008G), August
2001, states that assumptions made in strategic plans and budgets should be
consistent with the agency’s historical experience and current circumstances. It
further states that activity-level (i.e., program- or mission-level) objectives
flow from, and are linked with, the agency’s entitywide objectives and strategic
plans, and are reviewed periodically to assure that they have continued
relevance.

EPA Order 1000.24 CHG 2, Management’s Responsibility for Internal Control,
July 18, 2008, states, in accordance with GAO’s Standards for Internal Control
in the Federal Government, that risk assessment is the identification and
analysis of relevant risk associated with achieving the agency’s mission. It
further states that program managers should identify internal and external risks
that may prevent the organization from efficiently and effectively meeting its
objectives.

Two GMPO Performance Measures Are Unrealistic

During our review we found that two of GMPO’s core performance measures required
them to achieve targets that they did not have direct control over. The first of
these measures is the hypoxia measure (SP-40),3 which is a measure that calls
for reductions in nutrient releases into the Mississippi River. As mentioned in
Chapter 1, GMPO was created with a non-regulatory mission and has no authority
to regulate or enforce the amount of nutrients released upstream into the
Mississippi River. As a result, GMPO does not have the ability to directly
influence this issue.

The second measure is the National Coastal Condition Report (NCCR) 3-year index
measure (GM-435). EPA publishes the NCCR in collaboration with other federal
agencies (National Oceanic and Atmospheric Administration, U.S. Fish and
Wildlife Service, and U.S. Geological Survey). The report covers all the coastal
regions of the country; however, measure GM-435 only refers to the results
pertaining to the Gulf of Mexico region. The overall index for the Gulf is a
compilation of five individual indices measuring a broad range of environmental
conditions: water quality, sediment quality, benthic zone conditions, condition
of coastal habitats, and fish tissue contaminants. This index is expressed in
terms of a 5-point scale which rates the condition of the Gulf as good, fair, or
poor. We spoke to subject matter experts within OW and GMPO and, based on their
opinions, it is not fair to expect that a small program like GMPO, with a
non-regulatory mission and a $5.5 million budget and 13 FTEs, could legitimately
affect this comprehensive rating. OW reported in 2011 that GMPO failed to meet
its targets under this measure four separate times during the period 2007 to
2011.4

One Key GMPO Activity Not Measured

An important aspect of GMPO’s work—namely, environmental education for
underserved and underrepresented communities—is not captured by any of GMPO’s
current performance measures. Based on our interviews with GMPO management and
staff, we estimated that about 1.8 of its 12.9 FTEs were devoted to
environmental justice-related tasks in FY 2012, yet GMPO did not measure this
activity. Environmental education was one of the strategic objectives for
FY 2012, but progress achieved in this area is currently not being gauged by any
of the performance indicators set for GMPO by OW (as shown in table 3).

3 EPA assigns codes to all programmatic performance measures. These codes are
  used for tracking each program’s annual commitments in an internal
  performance tracking database system. For the measures discussed in this
  chapter, the acronyms “GM” and “SP” stand for “Gulf of Mexico” and
  “Strategic Plan,” respectively.
4 National Water Program Best Practices and End of Year Performance Report,
  FY 2011.

Table 3: GMPO FY 2012 Strategic Objectives/Performance Measures

Objectives (per OW National Program Manager’s Guidance & FY 2012 President’s
Budget) and their corresponding performance measures:

  Healthy/resilient coastal habitats
    • Restore/enhance/protect cumulative number of acres of coastal marine
      habitats.
    • National Coastal Condition Report 3-year index.

  Sustainable coastal barriers
    • Restore/enhance/protect cumulative number of acres of coastal marine
      habitats.

  Wise management of sediments/nutrient levels
    • Reduce releases of nutrients throughout the Mississippi River to reduce
      size of the hypoxia zone (5-year average).
    • National Coastal Condition Report 3-year index.
    • Bi-national early detection system for harmful algal blooms.

  Improved science monitoring/management efforts for water quality/seafood
  safety
    • Restore water and habitat quality standards in impaired segments in
      13 priority areas.
    • National Coastal Condition Report 3-year index.

  Environmental education for underserved/underrepresented communities
    • None

Source: OIG analysis of information obtained from OW’s website and GMPO’s Chief
Scientist.

GMPO Did Not Perform a Programmatic Risk Assessment

GMPO did not conduct a risk assessment of its programmatic performance measures.
GMPO officials stated that they did not perform a risk assessment of their
programmatic performance measures because, due to its unique nature as a
semi-independent program, its strategic objectives were set in consultation with
external stakeholders. GMPO officials stated, however, that they had recently
begun the process of formally assessing GMPO’s goals and objectives in a manner
consistent with its non-regulatory mission, in the context of OW’s strategic
plan. As a result of this process, GMPO officials developed a new set of
performance measures that they believe will more accurately convey the work GMPO
performs. GMPO submitted its proposed measures to OW for consideration on
January 11, 2013.

GMPO’s Performance Not Properly Assessed and Resources
May Not Be Used in the Most Efficient Manner

By not having performance measures in place that reflect what GMPO was designed
to achieve or that capture all of the program’s key activities, GMPO’s
performance is not being assessed in a comprehensive manner. Consequently, OW
cannot report an accurate assessment of the program results to OMB. Further,
some of GMPO’s limited resources are being spent on activities associated with
the two unrealistic performance measures and, as a result, those resources may
not be spent in the most efficient manner.

Conclusions

By not conducting a risk assessment of its programmatic performance measures,
GMPO was unable to determine that there was a high risk of not achieving the
results required by two of the measures, as described in this chapter. Further,
environmental education was a strategic goal for GMPO in FY 2012 yet no
performance measure was assigned for this activity. As a result, GMPO is being
held accountable for measures it cannot realistically achieve, and is also not
being held accountable for one key mission-related activity it performs.

Recommendations

We recommend that the Director, Gulf of Mexico Program Office:

   1. Conduct a risk assessment of GMPO strategic control objectives and
      programmatic performance measures.

We recommend that the Assistant Administrator for Water:

   2. Evaluate the results of GMPO’s risk assessment and work with GMPO
      management to make the necessary changes to its objectives and measures,
      so GMPO can accurately measure performance.

Agency Comments and OIG Evaluation

OW and GMPO concurred with recommendations 1 and 2, but requested guidance to
better understand how to conduct a risk assessment.
In subsequent discussions,\n            we provided additional information on the subject from the Office of the Chief\n            Financial Officer\xe2\x80\x99s website and also encouraged OW and GMPO to speak with the\n            Office of the Chief Financial Officer for more guidance. Based on those\n            discussions, OW agreed to complete corrective actions for recommendation 1 by\n            December 31, 2013, and for recommendation 2 by June 30, 2014.\n\n            EPA also requested in its response to our draft report that we delete remarks by one\n            of the members of OW\xe2\x80\x99s Accountability Staff. We made that deletion from this\n            report as it does not affect the message conveyed.\n\n            Appendix B contains EPA\xe2\x80\x99s official response.\n\n\n\n\n13-P-0271                                                                                      7\n\x0c                                   Chapter 3\n\n            GMPO\xe2\x80\x99s Local Area Network Not Secured\xc2\xa0\n            GMPO management did not secure the GMPO LAN and did not ensure the\n            contractor met the security requirements in the LAN contract. OW IT managers did\n            not provide oversight for the GMPO LAN. Federal laws, directives, and standards\n            for information security and EPA policies require EPA to provide information\n            security protection. GMPO\xe2\x80\x99s former Acting Director, serving as the GMPO\n            security manager and LAN contracting officer\xe2\x80\x99s technical representative (COTR),\n            was not trained on, and therefore not technically knowledgeable of, federal and\n            agency IT security requirements. Further, one OW IT manager was not aware that\n            the GMPO LAN existed and another OW IT manager believed that GMPO\n            received IT support from Region 4. 
Without adequate security controls, the GMPO\n            LAN is vulnerable to individuals and groups with malicious intentions who may\n            launch attacks against the LAN or use it to launch attacks against other computer\n            systems and networks, such as the EPA-wide area network. In addition, EPA has\n            not received the full benefit of the $749,755 paid over 4 years for the LAN services\n            because the contractor did not fulfill the mandated security requirements contained\n            in the contract.\n\nRequirements for Information Security Controls\n            Federal guidance provides a comprehensive framework for ensuring the\n            effectiveness of information security controls over information resources that\n            support federal operations and assets. EPA information security policies establish\n            and define the principles to meet the security controls requirements in FISMA,\n            OMB circulars, and other federal and agency standards. EPA contracts for the\n            GMPO LAN services include references to the federal and agency information\n            security requirements that the contractor must meet to properly protect IT\n            resources.\n\n            Federal Information Security Laws, Directives, and Standards\n\n            FISMA requires each federal agency to develop, document, and implement an\n            agencywide information security program. The program should provide security\n            for the information and information systems that support the operations and assets\n            of the agency, including those that other agencies, contractors, or other sources\n            provide or manage. 
According to FISMA, each agency is responsible for\n            providing information security protections, commensurate with risk, for\n            information collected or maintained by, or on behalf of, the agency, and\n            information systems used or operated by the agency or on its behalf. FISMA\n            requires that a chief information officer or a comparable official of the agency be\n            responsible for developing and maintaining an agencywide information security\n\n\n13-P-0271                                                                                     8\n\x0c                program. FISMA also requires agencies to maintain and update annually an\n                inventory of major information systems, including those provided or managed by\n                another agency, contractor, or other source. FISMA requires that agencies comply\n                with security control standards issued by NIST.\n\n                OMB Circular No. A-130, Appendix III, Security of Federal Automated\n                Information Resources, issued November 28, 2000, sets forth four security\n                controls: (1) assignment of responsibility for security, (2) security planning,\n                (3) periodic review of security controls, and (4) management authorization\n                (currently called security authorization). This Circular also states that if one of\n                these basic controls is missing, an agency should consider identifying a deficiency\n                in accordance with OMB and the Federal Managers\xe2\x80\x99 Financial Integrity Act\n                (FMFIA) reporting requirements.\n\n                NIST Special Publication 800-53, Revision 3,5 provides detailed information on\n                the security control standards, their function, and purpose. 
Security controls are\n                safeguards or countermeasures employed within an organizational information\n                system to protect the confidentiality, integrity, and availability of the system and\n                its information. There are three general classes of security controls: management,\n                operational, and technical. Security training is an operational security control that\n                requires the organization to provide role-based security-related training to\n                information system managers before authorizing access to the system or\n                performing assigned duties.\n\n                EPA Information Security Policies\n\n                EPA\xe2\x80\x99s Office of Environmental Information (OEI) manages and issues\n                information technology/information management-related policies. During our\n                audit, we reviewed EPA\xe2\x80\x99s operations for the period 2009 through 2012. During\n                this period, four IT security policies applicable to EPA networks were in effect for\n                various amounts of time. The first was the ANSP, Chief Information Officer\n                (CIO) 2150.0, November 2007, which was in effect until it was superseded in\n                August 2011 by the Interim ANSP, CIO 2150.1. This policy was then superseded\n                by the Interim Agency Information Security Policy (ISP), CIO 2150.2 of April\n                2012. The Interim ISP was then replaced in August 2012 by the policy that is\n                currently in effect, the ISP, CIO 2150.3. The ANSP of 2007 was in effect for the\n                greatest amount of time during our review period.\n\n                The ANSP of 2007 was the security policy for the EPA network and associated\n                IT resources. 
This policy established and defined the principles needed to meet\n                the security controls requirements in FISMA, OMB circulars, and other federal\n                and agency standards. Listed below are some of the IT managers\xe2\x80\x99 responsibilities\n                for information security.\n\n\n5\n NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems\nand Organizations, was issued in August 2009 and updated May 1, 2010.\n\n\n13-P-0271                                                                                                     9\n\x0c                 Senior Information Officers (SIOs) are responsible for the following for their\n                 respective offices:\n\n                     \xef\x82\xb7\t Ensuring effective processes and procedures are established and\n                        implemented for compliance with agency information and IT policies,\n                        procedures, operations, and standards.\n                     \xef\x82\xb7\t Ensuring IT personnel manage operating systems effectively, including\n                        use of an internal monitoring program to evaluate policy effectiveness that\n                        is consistent with federal and agency security standards and requirements.\n                     \xef\x82\xb7\t Ensuring that personnel are sufficiently trained to comply with federal and\n                        agency security standards and requirements.\n\n                 The Information Management Officer (IMO) is responsible for:\n\n                     \xef\x82\xb7  Implementing and administering network security policy within their\n                        organization.\n                     \xef\x82\xb7 Conducting comprehensive assessments of management, operational, and\n                        technical security controls in an information system.\n                     \xef\x82\xb7\t Determining and certifying the extent to which 
the controls are\n                        implemented correctly, operating as intended, and producing the desired\n                        outcome with respect to meeting the security requirements for the system.\n                     \xef\x82\xb7\t Making accreditation recommendations to the SIO serving as the \n\n                        Authorizing Official. \n\n\n                 Information Security Officer (ISO) responsibilities include:\n\n                     \xef\x82\xb7\t Ensuring that periodic testing of security controls is conducted and those\n                        controls are operating effectively.\n                     \xef\x82\xb7\t Assisting general support system and major application managers in\n                        planning for and establishing adequate security for the general support\n                        system or major application as appropriate.6\n                     \xef\x82\xb7\t Providing ongoing user security awareness and training.\n\n                 Another ANSP requirement was that the agency must monitor contractor\n                 compliance with information security responsibilities as specified in agency\n                 contracts.\n\n\n\n\n6\n  OMB Circular No. A-130, Appendix III, defines \xe2\x80\x9cgeneral support system\xe2\x80\x9d as an interconnected set of information\nresources under the same direct management control which shares common functionality. A system normally\nincludes hardware, software, information, data, applications, communications, and people. 
A system can be, for\nexample, a LAN including smart terminals that supports a branch office, an agencywide backbone, or a\ncommunications network.\n\n\n13-P-0271                                                                                                     10\n\x0c                EPA Contracts for LAN Services\n\n                GMPO obtained LAN services through two IT support contracts for the period\n                covering 2004 through 2016.7 The first contract ended in October 2011. The\n                period of performance for the second contract began in October 2011 and\n                contained option years through 2016. The statement of work or performance work\n                statement for each of the contracts contained the requirement to implement EPA\xe2\x80\x99s\n                security policies. The second contract also stated that the contractor shall comply\n                with FISMA. The total amount GMPO paid for the LAN services contracts from\n                2009 through 2012 was $749,755. GMPO paid $540,382 for the first contract\n                from 2009-2011 and $209,373 for the second contract from 2011\xe2\x80\x932012.\n\nGMPO Management Did Not Secure Its LAN and Received\nNo Oversight From OW IT Managers\n\n                GMPO management did not provide security controls, and OW IT managers did\n                not provide oversight for the GMPO LAN. Specifically, GMPO and OW IT\n                managers did not establish security controls for assigning responsibility for\n                security, security planning, or periodic review of security controls for 2009 through\n                2012. 
The OW and GMPO IT managers also did not obtain authorization to operate\n                the GMPO LAN and did not include it in the EPA system inventory.\n\n                In addition, the former Acting Director certified several statements in the GMPO\n                2011 FMFIA assurance letter and supporting documents that were not factual.\n                These statements were:\n\n                    1.\t GMPO\xe2\x80\x99s Information Security Plan and LAN Contingency Plan were\n                        developed in accordance with FISMA and EPA requirements.\n                    2.\t Periodic security reviews and updates are conducted to ensure that the\n                        GMPO Information Security Plan is effectively implemented.\n                    3.\t GMPO\xe2\x80\x99s Security Plan has been certified by a third party vendor to test\n                        security controls.\n                    4.\t OW had conducted semiannual IT security reviews that resulted in no\n                        issues being identified.\n\n                The GMPO LAN security planning did not comply with FISMA and EPA\n                requirements, did not contain evidence that periodic security reviews or third\n                party vendor security certification were provided by the GMPO, and the OW ISO\n                verified that there were no IT security reviews conducted by OW for the GMPO\n                LAN. 
While the 2011 FMFIA assurance letter cited the former Acting Director as\n                the GMPO security manager, the OW SIO never assigned the person that position\n                or the associated responsibilities.\n\n\n7\n The first contract was 68-W-04-005, awarded January 8, 2004; the second contract was HHSN263999900033I,\nawarded August 25, 2011.\n\n\n13-P-0271                                                                                                  11\n\x0cGMPO Manager Was Not Trained on IT Security and OW IT Managers\nWere Not Aware of LAN\n\n                GMPO\xe2\x80\x99s former Acting Director, serving as the GMPO security manager, was not\n                trained on and therefore not technically knowledgeable of federal and agency IT\n                security requirements. The GMPO Chief of Staff did not have any knowledge that\n                the former Acting Director had taken any specialized security training, and was\n                unable to provide any support showing that the Acting Director took such courses.\n                The former Acting Director also served as the COTR and did not ensure the\n                contractor met the LAN contract requirements to comply with FISMA and EPA\xe2\x80\x99s\n                security policies. Since the same person served as both the COTR and the GMPO\n                security manager, there was no separation of duties to ensure proper management\n                and oversight. 
In addition, one OW IT manager was not aware that the GMPO\n                LAN existed and another OW IT manager believed that GMPO received IT\n                support from Region 4.\n\nGMPO LAN Is Vulnerable and EPA Paid for Security Not Received\n\n                Without adequate security controls, the GMPO LAN is vulnerable to individuals\n                and groups with malicious intentions who may obtain sensitive information,\n                commit fraud, disrupt operations, or launch attacks against other computer\n                systems and networks such as the EPA-wide area network. According to the\n                GAO, \xe2\x80\x9cFederal agencies have experienced a significant rise in security incidents\n                in recent years, with data from the U.S. Computer Emergency Readiness Team\n                showing an increase in security incidents and events from 29,999 in 2009 to\n                42,887 in 2011.\xe2\x80\x9d8 In addition, EPA has not received the full benefit of the\n                $749,755 paid over 4 years for LAN services because the contractor did not fulfill\n                the FISMA and EPA security requirements contained in the contract.\n\n                Statements in the FMFIA assurance letter about LAN security were misleading.\n                As a result, OW managers did not have reliable information to detect and correct\n                LAN security problems. Additionally, the GMPO LAN deficiencies should be\n                assessed by agency management to determine whether they are reportable under\n                FMFIA.\n\nEPA Management Actions Taken During Our Audit\n\n                During the course of our review, we informed GMPO and OW IT management of\n                the information security deficiencies identified for the LAN. GMPO and OW IT\n                management took two corrective actions. 
In December 2012, the GMPO\n                Acting Chief of Staff informed us that the GMPO Director and the Regional\n                Administrator for Region 4 had agreed that Region 4 would assume IT support for\n                the GMPO LAN and associated computer equipment. Region 4 assumed\n8\n GAO Report, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses, GAO-12-696,\nJuly 19, 2012.\n\n\n13-P-0271                                                                                               12\n\x0c                 IT support for the GMPO LAN in April 2013. The OW ISO coordinated with\n                 GMPO management in October 2012 and added the LAN to the EPA information\n                 system inventory.\n\nConclusions\n\n                 GMPO management should take immediate action to secure the LAN in\n                 accordance with federal and agency information security requirements and\n                 complete the corrective actions initiated during our audit. Properly protecting the\n                 GMPO LAN also helps protect other interconnected IT resources such as the\n                 EPA-wide area network. 
In addition, converting the LAN support to Region 4\n                 IT managers and discontinuing the LAN services contract could result in reduced\n                 costs and potential savings for EPA.\n\nRecommendations\n\n                 We recommend that the Regional Administrator, Region 4:\n\n                      3.\t Require the Region 4 SIO to assign a technically knowledgeable person to\n                          be the security manager of the GMPO LAN.\n\n                      4.\t Require the Region 4 SIO to provide necessary role-based security-related\n                          training to information system managers and staff before authorizing them\n                          access to the system or before performing assigned duties.\n\n                      5.\t Require the Region 4 ISO and IMO to work with the LAN security\n                          manager to plan and implement IT security controls\xe2\x80\x94including system\n                          security planning, periodic review of security controls, and authorization\n                          to operate the LAN\xe2\x80\x94that comply with FISMA, OMB, and NIST\n                          requirements and guidance.\n\n                      6.\t Require the Region 4 ISO and IMO to work with the LAN security\n                          manager to establish a plan of action and milestones to correct the LAN\n                          deficiencies as required by NIST Special Publication 800-53.9\n\n                 We recommend that the Director, Gulf of Mexico Program Office:\n\n                      7.\t Establish internal controls to prevent the LAN security manager duties and\n                          the LAN COTR duties from being assigned to the same individual.\n\n                      8.\t Require the COTR to enforce the contract and make sure the LAN\n                          contractor meets system security requirements in the contract.\n\n9\n  NIST Special Publication 800-53, 
Revision 3, defines a plan of action and milestones as a document that identifies\ntasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any\nmilestones in meeting the tasks, and scheduled completion dates for milestones.\n\n\n13-P-0271                                                                                                         13\n\x0c               9.\t Provide OW with notice of the erroneous statements and claims made in\n                   prior years\xe2\x80\x99 FMFIA assurance letters regarding IT system security.\n\n            We recommend that the Assistant Administrator for Environmental Information\n            and Chief Information Officer:\n\n               10. Assess the LAN deficiencies identified in this report to determine whether\n                   they should be reported under FMFIA, and act accordingly.\n\nAgency Comments and OIG Evaluation\n            EPA concurred with all of the recommendations in this chapter. We reviewed\n            EPA\xe2\x80\x99s proposed corrective actions and agree that they adequately address our\n            recommendations. Subsequent to our receipt of EPA\xe2\x80\x99s official response to the draft\n            report, we contacted personnel from GMPO and Region 4 to clarify some of the\n            completion dates for the proposed corrective actions. Those dates are shown in the\n            Status of Recommendations chart on page 18 of this report.\n\n            Appendix B contains EPA\xe2\x80\x99s official response.\n\n\n\n\n13-P-0271                                                                                  14\n\x0c                                             Chapter 4\n\n         GMPO Needs a Process to Review Data Prior to \n\n          Posting on the EPA Public Access Website\n\xc2\xa0\n                 The GMPO Web page, on the EPA public access website, displayed inaccurate\n                 data for over 18 months. 
GMPO did not perform a review of the content before\n                 posting, use a Content Manager to review the content, or follow EPA\xe2\x80\x99s Web\n                 governance policies or content review procedures. The GMPO personnel were not\n                 aware of the EPA Web governance policies or content review procedures. Also,\n                 the CIO and the Associate Administrator for the Office of External Affairs and\n                 Environmental Education (OEAEE) did not ensure that the GMPO complied with\n                 the EPA Web governance policy and content review procedures. Inaccurate data\n                 can negatively impact EPA\xe2\x80\x99s credibility with the public.\n\nRequirements for Web Management and Content Review\n\n                 OEI issues policies and procedures that govern EPA\xe2\x80\x99s public access website.\n                 The Web Governance and Management10 policy established that the EPA will\n                 operate and maintain a public access website to assist in fulfilling the agency\xe2\x80\x99s\n                 mission\xe2\x80\x94to protect the environment and public health. The Web Content Types\n                 and Review Procedure11 established the steps for keeping content on the EPA\n                 website current. The procedure also states that EPA\xe2\x80\x99s website is a fundamental\n                 communication tool for every agency program and region and that effective\n                 management of information is essential.\n\n                 EPA\xe2\x80\x99s Policy for Web Governance and Management\n\n                 EPA\xe2\x80\x99s Web Governance and Management policy12 states that OEI and the\n                 OEAEE share responsibility for governance of EPA\xe2\x80\x99s public access website. 
The\n                 Web Council provides representative advice for content and infrastructure to the\n                 National Web Content and Infrastructure Managers and, through them, to the\n                 Associate Administrator for OEAEE and Assistant Administrator for OEI.\n                 The Web Council disseminates information from agency leadership to the Web\n                 community. Regional and program offices provide quality content and appropriate\n                 infrastructure to communicate the agency\xe2\x80\x99s work and mission, adhering to the\n                 Web governance and management policy. The policy states that ultimate\n                 accountability for these regional and program areas is at the most senior level,\n                 typically at the assistant administrator or regional administrator level, who must\n\n\n10\n   Web Governance and Management, CIO 2180.0, September 7, 2006.\n\n11\n   Web Content Types and Review Procedure, CIO-2180-P-06.0, March 16, 2011. \n\n12\n   This policy refers to the Office of Public Affairs which was subsequently replaced by OEAEE. \n\n\n\n13-P-0271                                                                                            15\n\x0c            provide sufficient resources and ensure that Web resource allocation is aligned\n            with agency and program priorities.\n\n            EPA\xe2\x80\x99s Web Content Types and Review Procedure\n\n            The Web Content Types and Review Procedure established procedures for\n            determining the content type and review schedules for all content posted on the\n            EPA website. The procedure identifies roles and responsibilities, defines terms,\n            and provides steps to review Web content. The procedure states that EPA\xe2\x80\x99s\n            website is a fundamental communication tool for every agency program and\n            region and that effective management of information is essential. 
Distinguishing content types and identifying appropriate review schedules are critical to keeping the website current and up to date. Otherwise, Web visitors may have difficulty locating information or determining what information accurately describes current EPA policy decisions and activities. The CIO and the Associate Administrator for OEAEE are jointly responsible for monitoring compliance with this procedure.

GMPO Posted Inaccurate Data on the EPA Public Access Website

The GMPO Web page on the EPA public access website contained inaccurate data for over 18 months. Specifically, the Web page contained inaccurate funding figures in a chart titled The Gulf of Mexico Program at Work, 1988-2010, which showed the amount that each of the five Gulf states spent on projects over that period. The notice on the Web page stated that it was last updated December 14, 2010, about 18 months before we identified the issue in June 2012. There was no evidence that any other office had monitored or overseen GMPO's Web page content or postings, and the inaccurate data went undetected.

GMPO Personnel Were Not Aware of Web Content Review Requirements and EPA Management Did Not Monitor for Compliance

GMPO did not review the content before posting, did not use a Content Manager to review the content, and did not follow the Web Governance and Management policy or the Web Content Types and Review Procedure. GMPO personnel were not aware of the EPA Web guidance or the content review procedures. Also, the CIO and the Associate Administrator for OEAEE did not ensure that GMPO complied with the EPA Web governance policy and content review procedures.

Inaccurate Data Can Impact EPA's Credibility

Inaccurate data can negatively impact EPA's credibility. The information posted on EPA Web pages is accessed by the public and must be accurate to maintain the public trust and best represent the Administrator and the agency.

13-P-0271    16

EPA Management Actions Taken During Our Audit

In June 2012, we identified this issue to GMPO management. GMPO took immediate action and removed the Web page in question. The GMPO Director initiated the development of a Web content review process within the office. In addition, GMPO management coordinated with the Region 4 Office of External Affairs, which agreed to provide GMPO with Web content review and oversight. These corrective actions address some, but not all, of the causes of this issue.

Recommendations

We recommend that the Director, Gulf of Mexico Program Office:

11. Complete development of and implement a Web content review process within the GMPO to validate the accuracy of data and review the quality of content, in order to comply with the Web Governance and Management policy and the Web Content Types and Review Procedure.

12. Complete and implement the agreement with the Region 4 Office of External Affairs for Web content review and oversight.

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer, and the Associate Administrator for External Affairs and Environmental Education:

13. Establish a schedule for monitoring the GMPO's enforcement of the Web Content Types and Review Procedure.

Agency Comments and OIG Evaluation

EPA concurred with recommendations 11 and 12. We reviewed EPA's proposed corrective actions and agree that they adequately address our recommendations. Regarding recommendation 13, EPA initially expressed nonconcurrence because it misunderstood what the OIG wanted the agency to do. We discussed this matter with personnel from OEI and OEAEE on April 29, 2013. Based on that discussion, we clarified with them that the agency's proposed alternative corrective action would satisfy the intent of our recommendation. EPA personnel provided a planned completion date of September 30, 2014, for the proposed corrective action for recommendation 13.

Appendix B contains EPA's official response.

Status of Recommendations and Potential Monetary Benefits

Columns: Rec. No. | Page No. | Subject | Status (1) | Action Official | Planned Completion Date
The Potential Monetary Benefits columns (Claimed Amount and Agreed-To Amount, in $000s) are blank for every recommendation.

1 | 7 | Conduct a risk assessment of GMPO strategic control objectives and programmatic performance measures. | O | Director, Gulf of Mexico Program Office | 12/31/2013

2 | 7 | Evaluate the results of GMPO's risk assessment and work with GMPO management to make the necessary changes to its objectives and measures, so GMPO can accurately measure performance. | O | Assistant Administrator for Water | 06/30/2014

3 | 13 | Require the Region 4 SIO to assign a technically knowledgeable person to be the security manager of the GMPO LAN. | C | Regional Administrator, Region 4 | 04/05/2013

4 | 13 | Require the Region 4 SIO to provide necessary role-based security-related training to information system managers and staff before authorizing them access to the system or before they perform assigned duties. | O | Regional Administrator, Region 4 | 09/30/2013

5 | 13 | Require the Region 4 ISO and IMO to work with the LAN security manager to plan and implement IT security controls (including system security planning, periodic review of security controls, and authorization to operate the LAN) that comply with FISMA, OMB, and NIST requirements and guidance. | O | Regional Administrator, Region 4 | 09/30/2013

6 | 13 | Require the Region 4 ISO and IMO to work with the LAN security manager to establish a plan of action and milestones to correct the LAN deficiencies, as required by NIST SP 800-53. | O | Regional Administrator, Region 4 | 09/30/2014

7 | 13 | Establish internal controls to prevent the LAN security manager duties and the LAN COTR duties from being assigned to the same individual. | C | Director, Gulf of Mexico Program Office | 04/05/2013

8 | 13 | Require the COTR to enforce the contract and make sure the LAN contractor meets the system security requirements in the contract. | C | Director, Gulf of Mexico Program Office | 04/05/2013

9 | 14 | Provide OW with notice of the erroneous statements and claims made in prior years' FMFIA assurance letters regarding IT system security. | C | Director, Gulf of Mexico Program Office | 05/13/2013

10 | 14 | Assess the LAN deficiencies identified in this report to determine whether they should be reported under FMFIA, and act accordingly. | O | Assistant Administrator for Environmental Information and Chief Information Officer | 09/30/2013

11 | 17 | Complete development of and implement a Web content review process within the GMPO to validate the accuracy of data and review the quality of content, in order to comply with the Web Governance and Management policy and the Web Content Types and Review Procedure. | C | Director, Gulf of Mexico Program Office | 02/28/2013

12 | 17 | Complete and implement the agreement with the Region 4 Office of External Affairs for Web content review and oversight. | C | Director, Gulf of Mexico Program Office | 02/28/2013

13 | 17 | Establish a schedule for monitoring the GMPO's enforcement of EPA's Web Content Types and Review Procedure. | O | Assistant Administrator for Environmental Information and Chief Information Officer, and Associate Administrator for External Affairs and Environmental Education | 09/30/2014

(1) O = recommendation is open with agreed-to corrective actions pending; C = recommendation is closed with all agreed-to actions completed; U = recommendation is unresolved with resolution efforts in progress.

Appendix A

Details on Scope and Methodology

We conducted our audit from May 2012 to March 2013 in accordance with generally accepted government auditing standards. The information we reviewed covered the period 2009 through 2012. Our scope was limited to assessing whether GMPO had established effective internal controls over its operations. As such, our tests and audit procedures were designed to provide us with enough evidence to make such determinations.

During our audit, we reviewed federal criteria, including:

• GPRA Modernization Act of 2010 (Public Law 111-352).
• Federal Information Security Management Act of 2002 (FISMA, 44 USC 3541).
• Federal Managers' Financial Integrity Act of 1982 (FMFIA, Public Law 97-255).
• OMB Circular A-130, Management of Federal Information Resources, November 28, 2000.
• GAO Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), November 1999.
• GAO Internal Control Management and Evaluation Tool (GAO-01-1008G), August 2001.
• NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems.

We reviewed EPA plans and policies, including:

• EPA Order 1000.24 CHG 2, Management's Responsibility for Internal Control, July 18, 2008.
• EPA's 2011-2015 Strategic Plan.
• Agency Network Security Policy (ANSP), CIO 2150.0, approved November 27, 2007.
• Interim Agency Network Security Policy (ANSP), CIO 2150.1, approved August 22, 2011.
• Interim Agency Information Security Policy (AISP), CIO 2150.2, April 9, 2012.
• Interim Security Policy (ISP), CIO 2150.3, August 6, 2012.
• Web Governance and Management, CIO 2180.0, September 7, 2006.
• Web Content Types and Review Procedure, CIO 2180-P-06.0, March 16, 2011.

We also reviewed GMPO documentation, including:

• Selected contracts, grants, and cooperative agreements.
• FMFIA Letters of Assurance and supporting schedules for 2011 and 2012.
• 2011 Work Plan and Accomplishments.
• Memorandum of Understanding between GMPO, Region 4, Region 6, and OW (1999 amendment).
• Physical inventory reports as of May 2012.

During our audit, we interviewed:

• GMPO management and staff.
• The following OW officials: Director of the Office of Wetlands, Oceans and Watersheds; representatives from the Resource Management Staff, including the Associate Director; the ISO; and the IMO.
• The following Region 4 officials: Director and staff from the Water Protection Division; Deputy Assistant Regional Administrator and staff from the Office of Policy and Management (including the Comptroller and the Branch Chief for Grants Finance and Cost Recovery); ISO; LAN Administrator; and Director of External Affairs.
• The following OEI officials: the Senior Agency Information Security Officer, and staff from the Policy and Program Management Branch.
• Officials from the Gulf Coast Ecosystem Restoration Task Force, including the Executive Director and the Communications and Engagement Coordinator.

Appendix B

Agency Response

April 19, 2013

MEMORANDUM

SUBJECT: Response to Office of Inspector General Draft Report/Project No. OA-FY12-0480, "Improved Internal Controls Needed in the Gulf of Mexico Program Office," dated March 6, 2013

FROM: Nancy K. Stoner, Acting Assistant Administrator

TO: Arthur A. Elkins, Jr., Inspector General

Thank you for the opportunity to respond to the issues and recommendations in the subject audit report. Following is a summary of the U.S. Environmental Protection Agency's overall position, along with its position on each of the report recommendations. For those report recommendations with which the agency agrees, we have provided high-level intended corrective actions and estimated completion dates. For those report recommendations with which the agency does not agree, we have explained our position and proposed alternatives to the recommendations. For your consideration, we have included a Technical Comments Attachment to supplement this response.

AGENCY'S OVERALL POSITION

The agency concurs with twelve of the thirteen recommendations detailed in the report. We do not concur with the remaining one recommendation, and have provided explanations, as required by EPA Manual 2750, Audit Management Procedures.

AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS

Agreements

Each entry gives the recommendation number, the recommendation, the high-level intended corrective action(s), and the estimated completion (by fiscal year).

1. Recommendation: The Director, Gulf of Mexico Program Office, conduct a risk assessment of GMPO strategic control objectives and programmatic performance measures.
Intended corrective action: The Director of the Gulf of Mexico Program requests further information from the OIG on the official procedure for conducting a risk assessment on developing programmatic performance measures.
Estimated completion: Completion date unknown until guidance is provided.

2. Recommendation: The Assistant Administrator, Office of Water, evaluate the results of GMPO's risk assessment and work with GMPO management to make the necessary changes to its objectives and measures, so GMPO can accurately measure performance.
Intended corrective action: The Assistant Administrator, Office of Water, requests further information from the OIG on the official procedure for conducting a risk assessment on developing programmatic performance measures.
Estimated completion: Completion date unknown until guidance is provided.

3. Recommendation: The Regional Administrator require the Region 4 SIO to assign a technically knowledgeable person to be the security manager of the GMPO LAN.
Intended corrective action: Region 4 has taken GMPO servers from their network and placed them within the Region 4 office in Atlanta. The LAN Administrators and Information Security Officer (ISO) will manage the GMPO LAN.
Estimated completion: Completed.

4. Recommendation: The Regional Administrator require the Region 4 SIO to provide necessary role-based security-related training to information system managers and staff before authorizing them access to the system or before performing assigned duties.
Intended corrective action: All Regional/Agency employees are required to take annual security training. GMPO staff will also be required to take this training as an Agency annual requirement.
Estimated completion: To be completed by end of FY13.

5. Recommendation: The Regional Administrator require the Region 4 ISO and IMO to work with the LAN security manager to plan and implement IT security controls, including system security planning, periodic review of security controls, and authorization to operate for the LAN, that comply with FISMA, OMB, and NIST requirements and guidance.
Intended corrective action: The GMPO will be included in the Region 4 Security Plan and Certification & Accreditation process, which will ensure compliance with FISMA, OMB, and NIST requirements.
Estimated completion: To be completed by end of FY13.

6. Recommendation: The Regional Administrator require the Region 4 ISO and IMO to work with the LAN security manager to establish a plan of action and milestones to correct the LAN deficiencies as required by NIST SP 800-53.
Intended corrective action: The Regional Administrator Plan of Action & Milestones (POAMs) will be generated from the annual Certification & Accreditation reviews, and these findings will be addressed by the Region 4 ISO, IMO, and LAN Administrators.
Estimated completion: To be completed by end of FY14.

7. Recommendation: The Gulf of Mexico Program Director establish internal controls to prevent the LAN security manager duties and the LAN COTR duties from being assigned to the same individual.
Intended corrective action: The Gulf of Mexico Program Office has completed the transition from our local LAN server to the Region 4 server. Our LAN Security Manager is located in Region 4, our LAN COTR is also in Region 4, and they are two separate individuals.
Estimated completion: Completed April 2013.

8. Recommendation: The Gulf of Mexico Program Director require the COTR to enforce the contract and make sure the LAN contractor meets system security requirements in the contract.
Intended corrective action: The Gulf of Mexico Program Office LAN IT support is now under a new contract with Region 4. Region 4 is responsible for making sure the system security requirements are met under the new contract. The LAN contractor in Region 4 meets the system security requirements.
Estimated completion: Completed April 2013.

9. Recommendation: The Gulf of Mexico Program Office Director provide OW with notice of the erroneous statements and claims made in prior years' FMFIA assurance letters regarding IT system security.
Intended corrective action: The Gulf of Mexico Program Office Director and/or Chief of Staff will discuss past submittals of our FMFIA assurance letters regarding IT system security with OW staff.
Estimated completion: To be completed by end of April.

10. Recommendation: The Assistant Administrator for Environmental Information and Chief Information Officer assess the LAN deficiencies identified in this report to determine whether they should be reported under FMFIA, and act accordingly.
Intended corrective action: OEI concurs with the recommendation.
Estimated completion: QTR4 FY13.

11. Recommendation: The Gulf of Mexico Program Office Director complete development of and implement a Web content review process within the GMPO to validate the accuracy of data and review the quality of content to comply with the Web Governance and Management, and Web Content Types and Review Procedure.
Intended corrective action: The Gulf of Mexico Program Office has developed a Web Content Review Standard Operating Procedures document, which it follows internally to validate the accuracy of the data and comply with all EPA Web procedures. GMPO is now under the administrative structure of the Region 4 Office of Information and External Affairs for our Web content and review, and they are following the EPA's official Web review and revision processes.
Estimated completion: Completed February 2013.

12. Recommendation: Complete and implement the agreement with the Region 4 Office of External Affairs for Web content review and oversight.
Intended corrective action: The Gulf of Mexico Program Office has an official agreement with the Region 4 Office of External Affairs and is under their review and oversight.
Estimated completion: Completed February 2013.

Disagreements

13. Recommendation: The Assistant Administrator for Environmental Information and Chief Information Officer, and the Associate Administrator for External Affairs and Environmental Education, establish a schedule for monitoring the GMPO in their enforcement of EPA's Web Content Types and Review Procedure.

Agency explanation/response: The Office of Environmental Information and the Office of External Affairs and Environmental Education concur with the goal of recommendation 13, and are taking steps to solve the issue.

We are building a new Web publishing system that will allow for automatic and timely enforcement of the Web Content Types and Review Procedure. Content owners will receive multiple notices directing them to review their content. If they still fail to review their content on time, the content will automatically be removed from EPA's website.

All EPA pages, including those owned by GMPO, will be in this system by the end of FY 2014.

Per the EPA Web Governance and Management Policy (http://www.epa.gov/irmpoli8/policies/21800.pdf), OEAEE (previously named OPA) and OEI oversee governance of epa.gov. We establish policy, procedures, and standards, working with each office and region through the Web Council. The Web Content Types and Review Procedure is one of many such governing documents. Web Council members, in turn, work with their colleagues to ensure compliance with requirements.

Until the new Web publishing system is fully operational at the end of FY 2014, OEI and OEAEE will remind the Web Executive Board, Web Council, and the EPA Web community of the importance of following EPA Web policies, procedures, and standards. We will specifically highlight the importance of the Web Content Types and Review Procedure.

However, it is important to note that OEI and OEAEE do not concur with the idea of a special monitoring schedule for GMPO. Our offices lack the resources to create schedules for monitoring specific programs' compliance with requirements. Ultimate accountability for content rests with each office and region.

Proposed alternative: See Agency Response.

CONTACT INFORMATION

If you have any questions regarding this response, please contact Michael Mason at 202-564-0572 or at mason.michael@epa.gov.

Attachment

cc: Malcolm Jackson
Ben Scaggs
Gwendolyn Keyes Fleming
James O'Hara
Mike Shapiro
Diane Altsman
Dorothy Rayfield
Larry Lincoln
Michael Mason
Marilyn Ramos
Scott Dockum
Patrick Gilbride
Melissa Heist
Randy Holthaus
Lisa Bergman
Raul Adrian

Appendix C

Distribution

Office of the Administrator
Assistant Administrator for Water
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Gulf of Mexico Program Office
Regional Administrator, Region 4
Associate Administrator for External Affairs and Environmental Education
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Principal Deputy Assistant Administrator for Water
Principal Deputy Assistant Administrator for Environmental Information
Deputy Administrator, Region 4
Associate Administrator for Congressional and Intergovernmental Relations
Audit Follow-Up Coordinator, Office of Water
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Region 4